Some OS are more common than others, making it more easy to get a working situation. Unix (Linux) is the toughest to undertand well.
A worked out Unix (Linux) sample of middelware buisness and OS is at My Gathered Samples

Infrastructure components Life cycle

This is daily life. Using words and limited view of environments leading to much misundertanding

Middleware - tooling A,P

Statement:
The versions of the A and P environment (machines) of Middleware and OS level should be exact equal.
There is no other way the be able to find shortcoming in functionality at the business level.

Statement:
Newer versions of the A and P environment (machines) of Middleware and OS level should be tested with a well known production version of business logic with &quotregresion test&quot.
There is no other way the be able to find shortcoming in functionality at lower levels having impact at the business level.

Middleware - tooling LCM

The life cycle management of middelware.... To describe later

Failed dependicy Business logic

The life cycle management of business logic can not be managed by setting up machines.
Although you are naming machines D,T,A,P the business process does not match to machines. Trying to do this will fail.

The reason is: You are not sure the introduced difference in OS and Middleware will be the root-cause of a erroneous deployment to production.

Operating System - Hardware - Locations

The life cycle management of middleware.... To describe later

There is many hardware with a list of available operating systems.
Think of it by

Business advanced details

This is daily life. Using words and limited view of environments leading to much misundertanding

Business Logic

promote ship/deploy

The business logic can be maintained within a DTAP approach.

It uses a softwarelibray in wich artifacts are maintained.

With promotion it will copy or move in stages (DTAPZ).

The Z-stage is used for archiving the last production version

With deploy/ship it will copy/deploy the stage to an other (machine) environment.

When meta data is involved a dedicated technical approach (export/import) is an additional action
meta data is common to DBMS-systems (database managements systems) SAS has meta data server since version 9.

The get an exact identical copy from out of the softwarelibrary, it is sensible to clean up the target destination first.

With SAS the meta data servers in use DTAP segregation can be indicated as Lev4=D Lev3=T Lev2=A Lev1=P

parallel development

The business logic can be maintained parallel, tested in parallel.

Within D,T,A an emergency fix approach is possible. It is solving the issue of fixing production problems at the same moment normal maintenance is also done.

Within D,T parallel development is possible in aspect to big changes. at the same moment normal maintenance is also done.

In the Picture 5 parallel options are given: x (emergency-fix), standard, parallel-1 (u), parallel-1 (v), parallel-1 (w)
The letters x,u,v,w are used because they have no other meanings with DTAP.

Business data

primary process, bu

You need also business data. This is a part to segregate very well within DTAP. The best way the do it is by a well defined security approach.
Sometimes it is tried failing security to solve by hardware isolation. This can work well with the classic business logic development.

Analytics - Mining

Analytics - Mining ha an other goal. It is about to find information not known yet. As there is no process defined yet to find that information the only option is to develop the analytics on production-data.
This can be allowed as long the business data is not updated (just read-only) or isolated from the primary process location (data warehouse, data marts).
When there is an isolation defined on the level technology (networking) this is an impossible situation to get working.

Acceptance of production data

The resulting report of an analytics process done by dtap approach or directly on production data must be approved before published.

The approvement of the report can use words as acceptance quality etc. This process is total different to life cycle management of software or segregation of test-data.
Altough the same words are used a diferent action and the approval is a different way are executed.

It is production business software and production business data that must be used. Just the report / result must be reviewed.
The picture helps hopefully to understand. Needing a duplication of production data.

Soll Ist Templates

The information in my tables looks as very much information. The attempt is to define a template to be used by all middleware and all business applications.
As they can be overwhelming in Rbac projects in big organizations, it is very little I have left over of such a administration.

If this design template is accepted, the authorization process can set up highly automated. The same solution rolling out over and over again. Avoiding re-architecturing and all discussions.

Middleware Installation

Description needed Accounts

The technical owner (see OS security) can not be a personal account (key) therefore Non Personal Accounts must be used
The NPA&acutes classified why and when needed are:

inst&ltNPA&gt == installation account, used once or with fixes

conf&ltNPA&gt == configuration account, used sometimes

beh&ltNPA&gt == operational administration, used daily

adm&ltNPA&gt == Master admin account, used sometimes

spwn&ltNPA&gt == runtime service incoming request. When multiple services involved with different requirements to be duplicated

exec&ltNPA&gt == runtime service executing request. When multiple services involved with different requirements to be duplicated

root == needed in exceptions. Root bypasses all security, no group connections needed.

Accounts group connections - Accounts directories files

-mi

-mc

-ml

inst&ltNPA&gt

*

conf&ltNPA&gt

*

*

beh&ltNPA&gt

*

*

*

adm&ltNPA&gt

*

*

*

spwn&ltNPA&gt

*

*

*

exec&ltNPA&gt

*

*

*

root

-mi

-mc

-ml

&nbsp

-mi

-mc

-ml

-.r

inst&ltNPA&gt

r-x

r-x

conf&ltNPA&gt

rst

r-x

beh&ltNPA&gt

rst

r-x

adm&ltNPA&gt

r-x

spwn&ltNPA&gt

rst

r-x

exec&ltNPA&gt

rst

r-x

root

u-x

As runtime data does not be to be created by the technical owner, other accounts are able to become the owner of a file.
Even personal accounts are possible to be in place. Analysts and end-user-computing are causing this. In temporary data like &quot Unix \tmp &quot this a common situation.

To get the middelware to the business the installation group and configuration group, are to be connected to the business account (indication by column -m.)

As all accounts are NPA&acutes the limitation of em. is always included. Solved by nosshd(unix) or equal measures.

Middleware supporting Business

_sd

_st

_sa

_sp

_bd

_bt

_ba

_bp

_m.

em.

hm.

xsd

xst

xsa

xsp

xbd

xbt

xba

xbp

xmb

xmi

xmm

&nbsp

xmb

xmi

xmm

Midw admin bu spoc(1)

*

*

*

*

*

*

*

*

*

*

Infra admin os spoc(1)

*

*

*

*

*

*

*

*

*

*

Infra maintenance (1)

*

(several different middleware)

Midw admin bu spoc(2)

*

Infra admin os spoc(2)

*

Infra maintenance (2)

*

The implementation of the business environment is requiring that level of technical skills it is better to let it be implemented by specialists (infrastructure).
It most have controlled (auditable) access tot these business NPA&acutes. For that the change user (x..) rights are required.

The be able to test the whole line of business it is very sensible to have a business-like environment to do that. Call it a verification or education environment. It can be used for daily operations as logging and reporting.
There is nog business data involved no business logic. It will be a complete by security segregated environment.

Business environment segregations

Description needed Accounts

The technical owner (see OS security) can not be a personal account (key) therefore Non Personal Accounts must be used

The naming of the related groups and directories is kept the same or almost the same. This is assuming that reading all these tables, the technical difference between a groups, an account and a directory is kept in mind.

Accounts group connections

_sd

_st

_sa

_sp

_bd

_bt

_ba

_bp

_m.

em.

hm.

xsd

xst

xsa

xsp

xbd

xbt

xba

xbp

applid_sd

*

*

*

*

applid_st

*

*

*

*

*

applid_sa

*

*

*

*

*

applid_sp

*

*

*

*

applid_bd

*

*

*

*

*

*

*

*

applid_bt

*

*

*

*

*

*

*

applid_ba

*

*

*

*

*

*

applid_bp

*

*

*

*

*

In these group connections every NPA is connected to a combination of groups it can be used to do privileged task. No direct login is permitted em.
The technical owners of the business logic (applid_s&ltdtap&gt) have switch user rights to be able to using with promoting
The technical owners of the business data (applid_b&ltdtap&gt) have several additional group right. On Unix these can be file-transfer Cron or other operational services hm.

Business directory and file access

Bu Logic

-.d

-.t

-.a

-.p

&nbsp

-.d

-.t

-.a

-.p

_sd directory - Files

rwx

r-x

r-x

r-x

rwx

r-x

r-x

r-x

_st directory - Files

r-x

r-x

r-x

r-x

r-x

r-x

_sa directory - Files

r-x

r-x

r-x

r-x

_sp directory - Files

r-x

r-x

The access to directories, first four-dtap columns, is identical to those of files, second four-dtap columns.
As business logic is promoted and deployed/shipped with strict processes using the technical owners this is guaranteed.

Bu Data

-.d

-.t

-.a

-.p

&nbsp

-.d

-.t

-.a

-.p

_bd directory - files (1)

rwx

rw*

_bt directory - files (1)

r-x

r-*

_bt directory - files (2)

rsx

rw*

_bt directory - files (3)

rst

r?*

_ba directory - files (1)

r-x

r-*

_ba directory - files (2)

rsx

rw*

_ba directory - files (3)

rst

r?*

_bp directory - files (1)

r-x

r-*

_bp directory - files (2)

rsx

rw*

_bp directory - files (3)

rst

r?*

The access to directories, first four-dtap columns, can be different to those of files, second four-dtap columns.
As business data does not be to be created by the technical owner other accounts are able to become the owner of a file.
Even personal accounts are possible to be in place. Analysts and end-user-computing are causing this.

Business normal users

_sd

_st

_sa

_sp

_bd

_bt

_ba

_bp

_m.

em.

hm.

xsd

xst

xsa

xsp

xbd

xbt

xba

xbp

BU Developer

*

*

*

*

*

*

*

*

BU Tester

*

*

*

*

*

*

BU Acpt tester

*

*

*

*

BU User Standard

*

*

*

BU User Analyst

*

*

*

Granting the access to business users is the most simple off all. Granting the needed groups to their role.
The list of all middleware groups is combined it the -m. column.

The support staff at business side is a combination of other groups.

Some combinations of groups are not allowed underpinned by &quotsegregation of duties&quot conforming the business policies and risk impact analyses.

Business support

_sd

_st

_sa

_sp

_bd

_bt

_ba

_bp

_m.

em.

hm.

xsd

xst

xsa

xsp

xbd

xbt

xba

xbp

BU Test Data manager

*

BU Acpt Data manager

*

BU Prod Data manager

*

_sd

_st

_sa

_sp

_bd

_bt

_ba

_bp

_m.

em.

hm.

xsd

xst

xsa

xsp

xbd

xbt

xba

xbp

BU Software manager(D)T

*

*

*

*

BU Software manager(T)A

*

*

*

*

*

BU Software manager(A)P

*

*

*

*

*

Auditor

*

*

*

*

Legend of used indications

Group types
These are found at the rows
Acces rights from accounts (personal/nonpersonal) or logical roles(person) are granted by grouping them. The technical implementation can also be by groups.
The only indication is member of the group or not by &qut*&quot.

The columns are classified by the type of rights in connecting it to the grouping.

Middleware is different to segregation compared to business. The segregation in DTAP of the business is not needed.
To be able to do acceptance testing of infra components there should be no difference in infra with DTAP of the business.

The installation of infra components can not be owned by persons. Non Personalized Accounts (NPA-s) must be used. In some special cases even the root-key is involved.
The files directories can be classified in

i = Installation owner is the installer-NPA, defined group is opening up middleware to business

c = Configuration owner is an administrator-NPA, can be combined with installation group (risk assessment)

Version tools

SVN Apache

Subversion exists to be universally recognized and adopted as an open-source,
centralized version control system characterized by its reliability as a safe haven for valuable data; the simplicity of its model and usage;
and its ability to support the needs of a wide variety of users and projects, from individuals to large-scale enterprise operations.

CVS

CVS (wiki) CVS CVS is a version control system, an important component of Source Configuration Management (SCM).
Using it, you can record the history of sources files, and documents. It fills a similar role to the free software RCS, PRCS, and Aegis packages.